From Bright Pattern Documentation
Revision as of 13:08, 18 November 2021 by Katherine

<translate>

System configuration

Accounts configuration

The password reset service runs the external validation script if specified. The account that runs the external validation script can be specified in the configuration tool to be different from the domain administrator account running the service.

If a specialized account is used to run the external validation tool, it is recommended to create a separate Group Policy Object (GPO) in Group Policy Management (Start -> Administrative Tools -> Group Policy Management) and enforce it for the local system.

To create the GPO:

  • Select the domain in the tree.
  • Run in menu: Action -> Create a GPO in this domain, and link it here.

The GPO specifies a set of privileges. To edit the privileges:

  • Select the GPO.
  • Run in menu: Action > Edit...


The following privileges are necessary:

  • Allow log on locally for the specified user account. Note that the wizard recommends adding Administrators to the list.
  • Replace a process level token.

The following image shows how the GPO appears after the changes.

To enforce the policy for the local system:

  • Select the GPO.
  • Run in menu: Action > Enforced


Using a Non-Administrator Account for Running the Password Reset Service

A domain user account can be used to run the service instead of a local administrator account. The account should also have the privileges Allow log on locally and Replace a process level token.

The account must have permissions to reset passwords for the domain. To configure, navigate to:

  • Start > Administrative Tools > Active Directory Users and Computers

To delegate the permissions:

  • Run in menu: View > Advanced Features
  • Select the domain name and run in the menu: Action > Delegate Control…
  • Add the user to the list.
  • Set the task Reset user passwords and force password change at next logon to delegate.
  • Finish the wizard.
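To verify afterwards that the dedicated account ended up with exactly the rights described in the GPO section and the delegation section above, and nothing more, the following PowerShell script can be run on the server that hosts the service. It is an added example, not part of the Bright Pattern documentation; it assumes an elevated session, the ActiveDirectory RSAT module, and that the account name (a placeholder here) is given in the DOMAIN\name form the ACL reports.

```powershell
# Added check script; not part of the Bright Pattern documentation.
# Assumptions: elevated PowerShell on the server hosting the password reset
# service, ActiveDirectory RSAT module installed, $ServiceAccount replaced
# with the real dedicated (non-administrator) account in DOMAIN\name form.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-pwreset'   # placeholder, replace
)
Import-Module ActiveDirectory

$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. User rights on the local system: the two privileges the GPO must deliver.
#    secedit lists each right followed by the SIDs that hold it, prefixed by '*'.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg
$required = [ordered]@{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}
foreach ($right in $required.Keys) {
    $line = $policy | Where-Object { $_ -like "$right *" }
    $granted = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
    '{0,-34} {1}' -f $required[$right], $(if ($granted) { 'OK' } else { 'MISSING' })
}

# 2. Delegation on the domain: the wizard task "Reset user passwords and force
#    password change at next logon" grants the Reset Password extended right
#    (control access right GUID below) on user objects under the domain root.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$resetAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $resetPasswordRight
}
'{0,-34} {1}' -f 'Reset Password (extended right)', $(if ($resetAce) { 'OK' } else { 'MISSING' })

# Any entitlement beyond these (for example membership in Domain Admins) is
# more than the service needs and is worth reviewing.
```

A MISSING result on the first two lines means the GPO is not yet applied to this system (run gpupdate and check the link and Enforced setting); a MISSING result on the last line means the delegation wizard did not grant the task to this account at the domain root.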

</translate>
